Too little too late? NSA starting to implement ‘Snowden-proof’ cloud storage
The NSA is implementing a huge migration to custom-designed cloud architecture it says will revolutionize internal security and protect against further leaks by data analysts with unfettered access to classified information.
Put simply, the NSA hopes to keep future Edward Snowdens out by employing a cloud file storage system it built from scratch. A central feature of the system is that all the data an analyst can access is tagged with new metadata, including who is allowed to see it. Data won’t even show up on an analyst’s screen if they aren’t authorized to access it, NSA Chief Information Officer Lonny Anderson told NextGov.
The process has been slowly taking place over the last two years following the Snowden leaks. This means any information stored after the fact now comes meta-tagged with the new security privileges, among other things.
The agency has Snowden to thank for expediting a process that was actually started in the aftermath of the September 11 attacks in 2001. The idea for storing all information on cloud servers had been in the making, but hadn’t come to fruition until it was too late.
Now it’s moving at an expanded pace to implement something called GovCloud, which is a scaled version of the NSA’s entire universe of mined data. It is set to become pre-installed on the computers of all 16 US intelligence agencies, a move that started with the NSA.
At first glance, the idea appears counter-intuitive. Edward Snowden pretty much used the fact that all the information was in one place to find what he needed and access it.
However, as Anderson explains, “While putting data to the cloud environment potentially gives insiders the opportunity to steal more, by focusing on securing data down at cell level and tagging all the data and the individual, we can actually see what data an individual accesses, what they do with it, and we can see that in real time.”
The agency’s cloud strategist Dave Hurry explained the strategy further: “We don’t let people just see everything; they’re only seeing the data they are authorized to see.”
And if a situation arises where an employee needs access to information that’s off-limits, the program tells them who to ask to get it sorted out.
A further advantage to this is accelerating the analysis of the log data generated when an analyst wants to access particular information. Edward Snowden’s computer history, for some reason, did not set off any alarms until it was too late. That’s because the security logs had to be manually reviewed at a later time, NSA officials told NextGov.
They say this could have been averted with GovCloud, which would immediately raise a red flag if an analyst attempted to “exceed limits of authority.” The agency would have the former analyst in handcuffs before he managed to pack his bags for the airport.
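A minimal sketch of the mechanism the officials describe: tags on both the data and the individual, unauthorized cells omitted from view, a denied request answered with who to ask, and the denial flagged at decision time rather than in a later manual log review. This is an added example, not NSA or GovCloud code; the class names, tag names and the `steward` field are hypothetical, and the sample cells are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cell:
    row: str
    column: str
    value: str
    required: frozenset   # tags a reader must hold (all of them)
    steward: str          # hypothetical field: who to ask for access

@dataclass
class TaggedStore:
    cells: list
    audit: list = field(default_factory=list)    # every access decision
    alerts: list = field(default_factory=list)   # raised at decision time

    def _allowed(self, user_tags, cell):
        return cell.required <= user_tags

    def scan(self, user, user_tags):
        """Screen view: unauthorized cells are silently omitted."""
        visible = [c for c in self.cells if self._allowed(user_tags, c)]
        for c in visible:
            self.audit.append((user, "READ", c.row, c.column))
        return visible

    def get(self, user, user_tags, row, column):
        """Direct request: a denial names the steward and alerts at once."""
        for c in self.cells:
            if (c.row, c.column) == (row, column):
                if self._allowed(user_tags, c):
                    self.audit.append((user, "READ", row, column))
                    return {"value": c.value}
                missing = sorted(c.required - user_tags)
                self.audit.append((user, "DENIED", row, column))
                self.alerts.append((user, row, column, missing))
                return {"denied": True, "ask": c.steward}
        return {"denied": True, "ask": None}

def demo():
    # Constructed sample data: one row, two cells with different tags.
    store = TaggedStore([
        Cell("report-17", "summary", "constructed sample A",
             frozenset({"analyst"}), "desk-a"),
        Cell("report-17", "sources", "constructed sample B",
             frozenset({"analyst", "compartment-x"}), "desk-x"),
    ])
    tags = frozenset({"analyst"})
    seen = store.scan("user1", tags)
    reply = store.get("user1", tags, "report-17", "sources")
    return seen, reply, store
```

The alert is written in the same call that makes the access decision, which is the difference from the manual, after-the-fact log review described above.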
GovCloud isn’t marketing itself as just a security feature that rescues the intelligence agencies from outdated practices and hardware. It is also touted as the answer to privacy advocates, who had a field day with the NSA when it turned out it was indiscriminately mining citizens’ communications.
“We think from a compliance standpoint, moving from a whole mess of stovepipes into a central cloud that has a lot more functionality gives us more capability,” Tom Ardisana, technology directorate compliance officer at NSA, said.
It’s not clear whether the general public will know if the NSA is ‘complying’, but its officials claim that GovCloud is a step in the right direction. Outdated hardware and an over-reliance on data centers built before the shifts in privacy and security policies meant the process of compliance had to be manual and tedious.
“Whenever you bolt on compliance to address a particular issue, there is always a second- and third-order effect for doing that,” Anderson continued. “It’s an extremely manual process. There is risk built in all over that we try to address. The cloud architecture allows us to build those issues in right from the start and in automated fashion address them,” he explained.
In broader terms, the new trend toward automation will also ensure analysts can drastically cut the time they spend on doing a whole plethora of tasks like cross-checking information between databases manually.
“It’s a huge step forward,” Anderson believes, adding that entire agencies - starting with the NSA and the Defense Department - began transitioning into the new operating environment three weeks ago, meaning all their work tools and applications will now also have to be accessed from there.
Other agencies will follow, but for now it’s all about trial periods and seeing how smoothly the system works.
The agency hopes the move toward cloud computing will herald the end of data centers, although whether the system is hacker-proof remains to be seen.
Meanwhile, the privacy situation continues to spin out of control, as internet users worldwide struggle to trust their governments and intelligence agencies. They are reinventing their online behavior to cater for today’s reality after the loss of innocence in 2013.